nat66 rules gets deleted on reboot in 1.4-rolling-202109240217
Closed, Resolved (Public)

Description

Hello,

I have these nat66 rules:

set nat66 source rule 1 outbound-interface 'tun0'
set nat66 source rule 1 source prefix 'fc00:25:f1cd:11:1::/80'
set nat66 source rule 1 translation address '2001:2002:d9d1:e2a4:1::/80'
set nat66 source rule 2 outbound-interface 'tun0'
set nat66 source rule 2 source prefix 'fc00:25:f1cd:11:2::/80'
set nat66 source rule 2 translation address '2001:2002:d9d1:e2a4:2::/80'

When rebooting VyOS, the config load takes a lot of time, and then it says "migrate firewall configure, Failed, configuration error". When it boots completely, the nat66 rules are gone.

If I boot without any nat66 rules, there is no migration error.
Can it be fixed?

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Viacheslav changed the task status from Open to Confirmed. Sep 24 2021, 9:32 AM
Viacheslav added a project: VyOS 1.4 Sagitta.
Viacheslav added a subscriber: Viacheslav.
[  OK  ] Finished Update UTMP about System Runlevel Changes.
[  117.227867] vyos-router[751]: Starting VyOS router: migrate firewall configure
[  117.228588] vyos-router[2121]:  failed!
[  117.482910] vyos-config[1646]: Configuration error

Welcome to VyOS - r1-roll ttyS0
r1-roll login: 


vyos@r1-roll:~$ show conf com | match nat
vyos@r1-roll:~$ 
vyos@r1-roll:~$ 
vyos@r1-roll:~$ conf
[edit]
vyos@r1-roll#
vyos@r1-roll# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@r1-roll# compare 
+nat66 {
+    source {
+        rule 1 {
+            outbound-interface tun0
+            source {
+                prefix fc00:25:f1cd:11:1::/80
+            }
+            translation {
+                address 2001:2002:d9d1:e2a4:1::/80
+            }
+        }
+        rule 2 {
+            outbound-interface tun0
+            source {
+                prefix fc00:25:f1cd:11:2::/80
+            }
+            translation {
+                address 2001:2002:d9d1:e2a4:2::/80
+            }
+        }
+    }
+}
[edit]
vyos@r1-roll# commit
[edit]
vyos@r1-roll#

Additional logs:

Sep 24 12:32:23 r1-roll systemd[1]: Starting NDP Proxy Daemon...
Sep 24 12:32:23 r1-roll ndppd[2150]: (notice) ndppd (NDP Proxy Daemon) version 0.2.4
Sep 24 12:32:23 r1-roll ndppd[2150]: (notice) Using configuration file '/run/ndppd/ndppd.conf'
Sep 24 12:32:23 r1-roll ndppd[2150]: (warning) Low prefix length (80 <= 120) when using 'static' method
Sep 24 12:32:23 r1-roll ndppd[2150]: (warning) Low prefix length (80 <= 120) when using 'static' method
Sep 24 12:32:23 r1-roll systemd[1]: ndppd.service: Can't open PID file /run/ndppd/ndppd.pid (yet?) after start: Operation not permitted
Sep 24 12:32:23 r1-roll kernel: [  131.465473] NET: Registered protocol family 17
Sep 24 12:32:23 r1-roll isisd[1006]: circuit already connected

Related to T3863 and could also be an XML priority issue, as NAT66 has a higher priority than e.g. the tunnel interface.

Viacheslav changed the task status from Confirmed to Needs testing. Sep 27 2021, 6:04 PM
Viacheslav claimed this task.

@danielpo Will be fixed in the next rolling release.